Defending against an Account Takeover attack
Password reuse is making us an easy target for cybercriminals
For years the experts have been rightly telling us to use strong and unique passwords, but they have often focussed largely on the topic of password strength and less so on uniqueness. This is probably because it is relatively easy to guide someone in the creation of a strong password, but much more difficult when it comes to uniqueness.
The challenge with uniqueness is that it is practically impossible to achieve unaided. Most people have about half a dozen passwords committed to memory and yet have dozens of password-protected systems that they need to log into. This mismatch is going to cause password reuse every time. But where’s the harm in reusing passwords? We’ve been doing it for years, right?
The problem with reusing passwords is that it leaves us wide open to account takeover (ATO) attacks.
If you fall victim to an account takeover, someone else gains complete control of your account and you get locked out – this could be your social media account, your email inbox or your online shopping accounts. Or any other account that you have secured with a reused password.
In 2016, ATOs accounted for more than $2.3 billion in losses. Incidents of successful ATO attacks grew 31% on the prior year. ATO is a growing problem.
So why are ATOs even possible at this scale?
There are two reasons.
The first reason is password reuse.
If we reuse the same password on 20 websites and one of those websites (inevitably) gets hacked, then the other 19 websites that have been secured with the same credentials become immediately vulnerable to ATO.
This was Mark Zuckerberg’s downfall. He used the same password to secure LinkedIn, Pinterest and Twitter. And then LinkedIn got hacked, and he lost control of – you guessed it – Pinterest and Twitter.
The second reason
The second reason that ATOs are possible is the wide availability of stolen credentials and the practice of automated credential testing using a technique called ‘credential stuffing’.
Credential stuffing is a software-assisted process for validating login credentials. The software works by firing credentials (username and password pairs) at a website’s login screen to see which ones do and don’t permit access. Because of password reuse, the credentials taken from one website are going to be valid on another website in about 1% of cases.
Put another way, a list containing one thousand credentials might give access to ten Netflix accounts, ten Spotify accounts, ten Domino’s Pizza accounts, ten Pandora accounts and so on. Even a small list of credentials can go a long way.
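As an added example (not part of the original article), the following Python script shows how a site operator might spot a credential stuffing run in its own login logs: one source address cycling through many different usernames with the low success rate described above. The log format, the addresses and the thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample log in an assumed "timestamp ip username outcome"
# format. 203.0.113.7 tries eight different accounts and gets into one;
# 198.51.100.20 is a real user who mistypes their own password twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:01Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:02Z 203.0.113.7 dave OK
2024-05-01T10:00:03Z 203.0.113.7 erin FAIL
2024-05-01T10:00:03Z 203.0.113.7 frank FAIL
2024-05-01T10:00:04Z 203.0.113.7 grace FAIL
2024-05-01T10:00:04Z 203.0.113.7 heidi FAIL
2024-05-01T10:05:10Z 198.51.100.20 ivan FAIL
2024-05-01T10:05:25Z 198.51.100.20 ivan FAIL
2024-05-01T10:05:40Z 198.51.100.20 ivan OK
"""

def parse_login_log(text):
    """Return (ip, username, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, outcome = parts
        events.append((ip, user, outcome == "OK"))
    return events

def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.2):
    """Flag source IPs that try many different usernames with a low hit rate."""
    # Stuffing replays pairs leaked from another site, so one source touches
    # many accounts and only a small fraction work (the article says ~1%).
    # A genuine user retrying their own password touches one username only.
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    for ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)  # accounts that should be force-reset
    flagged = {}
    for ip, s in per_ip.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "success_rate": round(rate, 3),
                           "compromised": sorted(s["hits"])}
    return flagged
```

In practice the same counting is done per time window and the flagged source is rate-limited while the accounts listed under "compromised" are forced through a password reset.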
So where would ‘someone’ find a list of one thousand credentials?
Stolen credentials are not hard to find. The bad guys have been stealing them for years. There are over 4.5 billion of them available for purchase on the web. They show up for sale in forums and can be programmatically harvested from Pastebin (an anonymous digital dumping ground). For those who know what they are doing, getting hold of one thousand credentials is very light work.
Yeah, but what’s the worst that could happen?
If ‘someone’ discovers your credentials in a credential stuffing attack, that ‘someone’ is then able to log into your account and do absolutely anything that the website permits – which might include viewing and changing personal and financial details, buying stuff, transferring money, sending email, posting pictures, chatting with the kids and so on. Any bad stuff that happens in an ATO attack is difficult to prove because the account was accessed in the normal way. How does the retailer know for sure that it wasn’t you that ordered that laptop? How can the credit card company know that the purchase was fraudulent? It just looks like a normal transaction.
So how do we defend against an ATO?
The good news is that there is a way to defend against an account takeover. The bad news is that, to make it work, you’re going to have to change the habit of a lifetime.
To protect against an account takeover, we need to be using unique passwords. This means that we need a different password to secure each system that we care about. This, in turn, means that we can no longer rely on our memory for storing passwords. This is the life-long habit that we need to kick before we can defend against an ATO.
The good news is that you can learn how to do this in minutes by watching this quick tutorial.
The bad news is that you are the one that is going to have to do this. Or get comfortable with the inevitability of falling victim to an account takeover attack. Your call. I know what I prefer.
More free cybersecurity awareness training can be found at https://www.passwordcoach.com/